Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax39 min readDeep Dive

Two-Factor Authentication for Tax Software: Setup Guide

Set up two-factor authentication for tax software and meet IRS Security Six requirements. Platform-by-platform guide for Drake, CCH, Lacerte, and more.

Two-Factor Authentication for Tax Software: Setup Guide - two factor authentication tax software

Why Two-Factor Authentication Is Required for Tax Software

Tax professionals handle some of the most sensitive data in any business sector: Social Security numbers, bank account details, W-2s, and financial records for thousands of clients. A single compromised login to your tax software exposes this entire dataset to attackers, triggering regulatory penalties, client notification obligations, and lasting damage to your firm's reputation.

The IRS Security Six framework, detailed in IRS Publication 4557, mandates that all tax professionals implement multi-factor authentication as a foundational access control. This requirement applies whether you use Drake Tax, Lacerte, ProSeries, UltraTax CS, CCH Axcess, or any other professional tax preparation platform. For a full breakdown of what the IRS expects from your firm, see our overview of IRS cybersecurity requirements for tax preparers.

Failing to implement two-factor authentication for tax software leaves your practice exposed to the credential-based attacks that dominate modern cybercrime and places you in direct violation of federal security requirements governing every CPA and accounting firm that handles taxpayer data. This guide covers the technical foundation, platform-specific setup procedures, and real-world implementation strategies you need to deploy 2FA effectively across your practice in 2026.

2FA Security: By The Numbers

99.9%
Of Account Compromises Prevented by MFA

Microsoft Security Blog

$4.88M
Average Data Breach Cost in 2024

IBM Cost of Data Breach Report 2024

68%
Of Breaches Involve the Human Element

Verizon 2024 Data Breach Investigations Report

What Is Two-Factor Authentication and Why Does IRS Security Six Require It?

Two-factor authentication (2FA) is a security mechanism requiring users to provide two distinct verification factors before gaining access to systems containing sensitive information. For tax professionals, implementing 2FA on tax software represents a foundational access control that dramatically reduces the risk of unauthorized access to client records and tax preparation data.

The IRS Security Six framework identifies six essential cybersecurity controls that all tax preparers must implement to protect nonpublic personal information (NPPI). Two-factor authentication serves as the primary access control layer within this framework, working alongside antivirus protection, firewall security, secure backups, drive encryption, and VPN security to create defense-in-depth protection.

How Authentication Factors Work

Authentication security relies on three distinct factor categories:

  • Something you know: passwords, PINs, or security questions
  • Something you have: physical tokens, smartphone apps, or smart cards
  • Something you are: biometric identifiers like fingerprints or facial recognition

True two-factor authentication requires factors from two different categories. A password combined with a security question does not constitute 2FA because both fall under "something you know." A password paired with a code from a smartphone authenticator app provides genuine multi-factor security by combining something you know with something you have.

According to NIST Special Publication 800-63-3, this combination achieves Authenticator Assurance Level 2 (AAL2), providing strong protection against credential theftphishing attacks, and password database breaches that regularly compromise tax practices.

Enterprise 2FA Deployment: Step-by-Step

1

Inventory All User Accounts

List every account that accesses tax software, client portals, email, and document management systems. Identify who has access to taxpayer data and what authentication methods are currently in place.

2

Select Authentication Methods

Choose TOTP authenticator apps for most staff and FIDO2 hardware security keys for administrative accounts. Avoid SMS-based codes for accounts holding taxpayer data.

3

Configure Platform Settings

Enable multi-factor authentication in each tax software platform's admin console. Where available, set enforcement policies so users cannot bypass 2FA requirements.

4

Enroll All Users

Run a structured onboarding process. Schedule sessions for staff to pair authenticator apps or hardware tokens. Document each enrollment with date and method used.

5

Distribute and Secure Recovery Codes

Generate and securely store backup recovery codes for every account. Document the storage location in your WISP and assign a designated recovery coordinator.

6

Verify Enrollment and Monitor Logs

Confirm 100% enrollment before any deadline. Review authentication logs monthly and run quarterly access reviews to identify accounts that have not recently authenticated.

Two-Factor Authentication Methods for Tax Software: What You Need to Know

Not all 2FA methods provide equal security. Tax professionals must understand the technical characteristics and security strengths of each authentication approach before selecting what to deploy across their practice.

Time-Based One-Time Passwords (TOTP): The Industry Standard

TOTP authentication uses the RFC 6238 standard to generate temporary codes through HMAC-based cryptographic functions. The algorithm combines a shared secret key with the current timestamp to produce a 6-8 digit code valid for 30 seconds. Both the authentication server and the client device independently generate the same code using synchronized time, enabling verification without transmitting the shared secret across the network.

TOTP provides strong protection against credential theft because codes expire rapidly and cannot be reused. Unlike SMS-based codes, TOTP functions offline and is not vulnerable to telecommunication interception or SIM-swap attacks. The primary limitation is susceptibility to real-time phishing where an attacker immediately uses a captured code before it expires.

Popular TOTP authenticator apps for tax practices include Microsoft Authenticator (integrates with Microsoft 365, supports push notifications)Google Authenticator (widely supported, works with most tax platforms)Authy (offers cloud backup and multi-device synchronization), and Duo Mobile (enterprise-grade with detailed audit logs and device health checks).

FIDO2 Hardware Security Keys: Maximum Phishing Protection

FIDO2 (Fast Identity Online) authentication uses public-key cryptography where the hardware token stores a private key that never leaves the device. During authentication, the server sends a challenge that the token signs with its private key, and the server verifies the signature using the corresponding public key. This design eliminates shared secrets that attackers could intercept.

Hardware tokens provide the highest level of phishing resistance because they verify the authenticity of the login page through cryptographic domain binding. Attackers cannot trick users into authenticating to fraudulent sites because the token will only respond to challenges from registered domains. NIST SP 800-63-3 classifies hardware authenticators at Authenticator Assurance Level 3 (AAL3), the highest designation available. Practices handling high volumes of taxpayer data or managing multiple staff accounts benefit most from hardware key deployments.

SMS Text Codes: Not Recommended for Taxpayer Data

SMS-based authentication delivers one-time codes via text message. While better than no 2FA at all, SMS codes carry meaningful risks: SIM-swap attacks redirect your phone number to an attacker's device, and telecom interception can expose codes in transit. For accounts holding taxpayer data under IRS Publication 4557 requirements, TOTP apps or hardware keys are the appropriate choice. The Verizon 2024 Data Breach Investigations Report identifies SMS interception and SIM-swapping as active attack vectors against financial services targets, a category that includes tax practices under FTC Safeguards Rule definitions.

Tax Software-Specific 2FA Setup: Platform-by-Platform Guide

Each major tax preparation software platform implements two-factor authentication differently. The configuration steps below reflect current procedures for the platforms serving the majority of professional tax preparers in 2026.

Drake Tax Software

Drake Tax supports 2FA through integration with Microsoft Authenticator and Google Authenticator. To enable two-factor authentication in Drake, navigate to Setup > Security > User Security, select the user account, and enable "Require Multi-Factor Authentication." Users receive a QR code during their next login to pair their authenticator app. Store backup recovery codes offline in a secure location in case of device loss. Drake Tax also supports hardware security keys for administrator accounts through FIDO2 protocol when accessing Drake Cloud services, a configuration worth implementing for any account with administrative access to client records.

Lacerte and ProSeries (Intuit)

Intuit's professional tax software platforms use Intuit Account authentication with support for the Intuit Authenticator app (push notifications), third-party TOTP apps including Google Authenticator, Microsoft Authenticator, and Authy, and FIDO2-certified hardware security keys. Enable 2FA through your Intuit Account settings under Security > Two-step verification. A notable limitation: all users must individually enable 2FA through their own Intuit Account. Administrators cannot enforce it centrally without Intuit practice management tools, so firm-wide rollout requires direct coordination with each staff member.

CCH Axcess and Related Platforms (Wolters Kluwer)

CCH Axcess implements 2FA through its Axcess Portal identity management system. Navigate to User Settings > Security Settings, enable Multi-Factor Authentication, and select your preferred method. CCH Axcess supports authenticator apps, hardware tokens, and biometric authentication on compatible devices. Administrators can enforce 2FA requirements for all users through the Admin Portal under Security Policies, making CCH Axcess one of the more straightforward platforms for firm-wide mandatory enrollment.

Thomson Reuters UltraTax CS and GoSystem

Thomson Reuters platforms support 2FA through their CSIdentity authentication system. From the Admin Console, navigate to Security Settings and enable "Require Multi-Factor Authentication for All Users." Users configure their 2FA method at next login, choosing from TOTP apps, SMS (not recommended for sensitive taxpayer data), and hardware security keys. Thomson Reuters also offers single sign-on (SSO) integration with identity providers like Microsoft Entra ID, enabling centralized 2FA management across all firm applications. This approach is particularly valuable for practices using multiple Thomson Reuters products alongside document management systems and client communication portals.

For practices that need to document these configurations as part of their PTIN renewal or WISP obligations, our guide on PTIN and WISP requirements for tax preparers covers exactly what regulators expect to see.

2026 IRS Compliance Requirement

The IRS Security Six framework requires all tax preparers to have multi-factor authentication active on all systems accessing taxpayer data. This is not a future requirement; it is currently enforced as part of PTIN renewal reviews and IRS audits. Firms without documented 2FA implementation face potential penalties and PTIN suspension. Your Written Information Security Plan (WISP) must document your 2FA policy, approved methods, and enrollment procedures to satisfy IRS review.

Tax Practice 2FA Implementation Checklist

  • Inventory all user accounts with access to tax software and taxpayer data
  • Select TOTP authenticator apps or FIDO2 hardware keys as primary authentication methods
  • Enable 2FA enforcement in each tax software platform's admin console
  • Enroll all staff members and document enrollment dates and methods used
  • Generate and store backup recovery codes in a secure, offline location
  • Configure session timeout policies to require re-authentication after inactivity
  • Set up monthly authentication log review with an assigned reviewer
  • Document your 2FA policy, approved methods, and recovery procedures in your WISP
  • Train all staff on recognizing MFA fatigue attacks and push notification abuse
  • Schedule quarterly access reviews to verify 100% enrollment is maintained

Advanced 2FA Strategies: Passwordless Auth and Adaptive Security

Tax practices deploying two-factor authentication today should also understand where authentication technology is heading, both to future-proof their architecture and to take advantage of stronger controls as they become available across major tax software platforms.

Passwordless Authentication

The authentication industry is moving away from passwords entirely. Passwordless systems use biometrics or hardware tokens as the sole authentication factor, removing password vulnerabilities from the attack surface altogether. Modern passwordless implementations use the FIDO2 protocol where hardware security keys or platform authenticators (Windows Hello, Touch ID) perform cryptographic operations without requiring a password at any point. Microsoft Entra ID and Google Workspace both support passwordless authentication for business applications today, enabling tax firms to eliminate password vulnerabilities while staying compliant with IRS WISP requirements.

Risk-Based Adaptive Authentication

Modern authentication platforms incorporate machine learning that assesses risk continuously and adjusts authentication requirements dynamically. Adaptive authentication evaluates device recognition and trust scoring, location analysis and travel patterns, time-based access patterns, behavioral biometrics, and application access risk scoring. This approach balances security with usability by applying stronger authentication only when risk indicators suggest potential compromise. Platforms like Microsoft Entra ID Conditional Access, Duo Beyond, and Okta Adaptive MFA bring this capability to tax software environments today. Industry analyst projections estimate that by 2026, approximately 40% of MFA solutions incorporate AI-driven behavioral analytics for access anomaly detection.

The Takeaway

Two-factor authentication for tax software is required under the IRS Security Six framework. TOTP authenticator apps meet the baseline requirement for most staff accounts. FIDO2 hardware security keys provide the strongest available protection for administrative accounts and high-risk users. The difference between compliant and non-compliant is not just which method you choose; it is whether every account that touches taxpayer data has 2FA actively enforced and documented in your WISP.

Common 2FA Implementation Challenges and How to Solve Them

Tax practices deploying two-factor authentication encounter predictable obstacles. Understanding these challenges in advance lets you implement countermeasures before they become blockers to a firm-wide rollout.

User Resistance and Adoption

Research shows 49% of organizations cite poor user experience as a barrier to MFA adoption. Users perceive authentication as workflow friction, especially when prompted multiple times daily. Resistance shows up as workarounds like storing credentials insecurely, elevated help desk call volume, and non-compliance with enrollment deadlines.

Address resistance through communication that emphasizes personal benefits: 2FA protects users' own financial accounts and identities, not just firm data. Implement adaptive authentication to reduce repeated prompts on recognized, trusted devices. Executive sponsorship matters; when partners and firm owners actively use 2FA and discuss its importance, staff adoption increases measurably.

Legacy System Integration

Many tax practices operate environments that include legacy applications lacking native 2FA support. Document management systems, older tax software versions, and custom applications frequently use proprietary authentication protocols that cannot integrate with modern identity providers without significant rework.

Authentication proxy solutions resolve this without modifying application code. Products like Azure Application Proxy, identity provider Access Gateway, or zero-trust network access (ZTNA) solutions insert 2FA requirements before legacy systems at the network or proxy layer. For systems requiring direct network access, enforce 2FA at the VPN layer so authentication occurs before any legacy system connectivity.

Mobile Device Management and BYOD

Many tax professionals use personal smartphones for authenticator apps, creating security and support challenges. When staff leave, change phone numbers, or lose devices, authentication recovery becomes complicated. Personal devices may also lack the security controls that firm data warrants.

Implement mobile device management (MDM) or mobile application management (MAM) solutions that enforce security policies on devices running authenticator apps, including requiring device passcodes, enabling remote wipe capabilities, and verifying current operating system versions. For practices with strict data handling requirements, hardware security keys eliminate BYOD complexity entirely while providing stronger security than smartphone-based apps. For complete guidance on documenting these policies, see our IRS Publication 4557 compliance resources.

Need Expert 2FA Implementation?

Our security team has helped 4,000+ tax professionals implement IRS-compliant two-factor authentication, endpoint protection, and complete Written Information Security Plans.

Building Security Beyond Two-Factor Authentication

Two-factor authentication is the single most effective control for preventing credential-based attacks, but it addresses only one attack vector. Tax practices must implement all six Security Six controls to create the layered protection that IRS Publication 4557 requires and that modern threat actors demand.

The Full Security Six Framework

The six controls work together to address different threat categories, each filling gaps the others cannot:

  • Multi-factor authentication: prevents unauthorized access even when passwords are compromised
  • Endpoint Detection and Response (EDR): detects and blocks malware, ransomware, and advanced persistent threats
  • Firewall protection: controls network traffic and prevents unauthorized access to internal systems
  • Encrypted data backups: enables recovery from ransomware attacks and catastrophic system failures
  • Drive encryption: protects client data on lost or stolen devices through full-disk encryption
  • VPN security: encrypts data transmission and secures remote access over public networks

Attackers use multiple vectors simultaneously. 2FA prevents credential theft, EDR blocks malware execution, backups enable recovery, and encryption protects data at rest. Firms implementing only 2FA remain exposed to malware delivered through phishing emails and malicious downloads that bypass authentication entirely.

WISP Requirements for 2FA Documentation

IRS Publication 4557 requires all tax preparers to maintain a Written Information Security Plan (WISP) documenting security policies and procedures. Your WISP must specifically address multi-factor authentication requirements for all users accessing taxpayer data, approved and prohibited authentication methods, account recovery procedures for lost or compromised devices, authentication log review frequency and assigned responsibilities, and user training requirements with completion documentation.

During IRS audits or PTIN renewal reviews, you must demonstrate not just that 2FA exists, but that it is properly configured, actively monitored, and universally enforced. Regulators look for documented evidence of active management, not a one-time setup that was never revisited. Download our free 2026 WISP template to get a pre-built framework that covers all Security Six documentation requirements. Our incident response planning guide covers additional requirements for handling security breaches when they occur.

Protect Your Tax Practice with Expert Cybersecurity

Our cybersecurity specialists have helped over 4,000 tax professionals implement IRS-compliant two-factor authentication, endpoint protection, and complete Written Information Security Plans.

Frequently Asked Questions About Two-Factor Authentication for Tax Software

Two-factor authentication (2FA) requires users to provide two distinct verification factors before accessing a system. For tax preparers, it means that even if a password is stolen or guessed, an attacker still cannot access tax software without the second factor, such as a time-based code from an authenticator app or a physical hardware key. The IRS Security Six framework, detailed in IRS Publication 4557, mandates 2FA as a required control for all firms handling taxpayer data.

All major professional tax software platforms support 2FA as of 2026, including Drake Tax, Lacerte, ProSeries, CCH Axcess, Thomson Reuters UltraTax CS, GoSystem, and most cloud-based tax platforms. The specific methods supported vary by platform. Drake Tax and CCH Axcess support TOTP apps and FIDO2 hardware keys. Intuit platforms (Lacerte, ProSeries) support TOTP apps, push notifications, and hardware keys through the Intuit Account system.

TOTP (Time-Based One-Time Password) apps like Google Authenticator or Microsoft Authenticator generate 6-digit codes that expire every 30 seconds. They run on your smartphone and work offline. Hardware security keys are physical USB or NFC devices that use public-key cryptography to authenticate you. Hardware keys are more phishing-resistant because they verify the website's domain before responding, making them immune to fake login pages. NIST classifies hardware keys at the highest assurance level (AAL3), compared to AAL2 for TOTP apps. Both are acceptable for IRS compliance, but hardware keys are recommended for administrative accounts.

Recovery procedures vary by platform, but the general approach is consistent. Before deployment, generate backup recovery codes for each account and store them in a secure, offline location documented in your WISP. Most platforms offer account recovery through a verified email address or an administrator-initiated reset. For hardware keys, enroll a backup key during initial setup. Assign a recovery coordinator in your firm who holds the recovery code inventory and can process access restoration requests. Document this entire process in your WISP so recovery steps are clear during an actual incident.

SMS-based authentication is better than no 2FA, but the IRS and NIST both caution against relying on SMS for sensitive systems. SMS codes are vulnerable to SIM-swap attacks, where an attacker convinces your carrier to transfer your phone number to their device, and to telecom interception. NIST SP 800-63-3 restricts SMS to lower assurance levels (AAL1) compared to authenticator apps or hardware keys (AAL2/AAL3). For accounts accessing taxpayer data under IRS Publication 4557 requirements, TOTP authenticator apps or hardware security keys are the appropriate choice.

Authenticator apps like Google Authenticator and Microsoft Authenticator are free. Most professional tax software platforms include 2FA functionality at no additional cost. FIDO2 hardware security keys typically cost $25-50 per key from vendors like Yubico (YubiKey) or Google (Titan Key). For a firm with 10 staff members using hardware keys as a backup option, total hardware costs might run $250-500. The cost of not implementing 2FA, including regulatory penalties, data breach notification, and reputational damage, far exceeds any deployment cost.

It depends on the platform. CCH Axcess and Thomson Reuters platforms allow administrators to enforce 2FA centrally through admin consoles, requiring all users to enroll before accessing the system. Intuit platforms (Lacerte, ProSeries) currently require each user to individually enable 2FA through their own Intuit Account, which means firm-wide rollout requires direct coordination with each staff member. Drake Tax supports admin-level enforcement for Drake Cloud users. For platforms without central enforcement, use your WISP policy and onboarding procedures to mandate enrollment and verify completion through authentication log reviews.

No, and this is why the IRS Security Six requires five additional controls beyond 2FA. Two-factor authentication prevents unauthorized access through stolen or guessed credentials, which is one of the most common attack vectors. However, it does not stop malware delivered through phishing emails, ransomware attacks that encrypt your files, insider threats from authorized users, or software vulnerabilities in unpatched systems. Endpoint Detection and Response (EDR), encrypted backups, drive encryption, and firewall protection address attack vectors that 2FA cannot.

Authentication frequency depends on your session timeout policy and whether you use adaptive authentication. A standard configuration requires 2FA at each new session login, which for most tax professionals means once per workday from a trusted device. Adaptive authentication systems can reduce friction on recognized devices by extending session lengths while requiring re-authentication when accessing from new locations, unusual times, or after a period of inactivity. Your WISP should specify the maximum session length and the conditions that trigger re-authentication.

Your Written Information Security Plan must document the 2FA requirement and which accounts it applies to, the approved authentication methods and any prohibited methods, account recovery procedures and who is responsible for them, authentication log review frequency and the assigned reviewer, how 2FA is verified during staff onboarding and offboarding, and annual review dates. During IRS audits or PTIN reviews, you need documented evidence that 2FA is actively managed, not just a policy on paper.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.